Friday, June 4, 2010

During a recent discussion at work, the benefits of a sound security program outside of the context of repelling malicious assaults came up. What would be the gain of a security program if there was no one attempting to break into a network? How would the role of security for Information Technology change? Would security careers come to a crashing halt? To give the discussion a framework, the following parameters were agreed upon:

Suddenly everybody in the world is neither malicious nor unscrupulous.

While there is still competition in industry, it is driven only by the idea that each competitor will attempt to outperform the others by creating better products at a lower cost; there is no espionage and no market for trade secrets.

Nobody is intentionally harming the network or systems, so there will be no worms, Trojans, or computer viruses.

This is global, so as to remove the possibility of foreign attackers, military or otherwise.

People would still be capable of errors and would have disagreements founded in misunderstanding, but these disagreements would be settled through mediation or court, or rock-paper-scissors.

We talked about this for a while, but had no way to quantify either side of the argument.

So in this world of “No bad guys, period.”, what benefit would there be to a security program? In what areas would things remain the same? What could be removed from a security program? What does this mean for how we look at security programs as they currently exist?

To make things simple, I thought it would be easiest to measure what percentage of change would occur in a recognized Information Security Management Standard, BS7799. This way I could determine what changes would occur to security programs more globally. Using a recognized standard seemed more appropriate than using what one company or another might find useful for its individual needs.

The next step was to go through the standard and determine whether each of its components would stay or go. To do this, an audit checklist for BS7799 by Val Thiagarajan, available through SANS, was used to concisely summarize the intent of the standard, as its directed questioning leads to each section's focus. The results, with the rationale used in deciding each section's fate, assuming a standards-based program for a medium-sized business founded on the three principles of security (availability, integrity, and confidentiality), can be found here:

By tallying up the results, albeit subjectively, it was found that even without “bad guys”, 77.95 percent of BS7799 is still applicable. This bodes well for the justification of a security program, even in a world free of bad guys. Unsurprisingly, given the framework outlined above, for a medium-sized business the dramatic swing away from confidentiality towards integrity and availability maintained the need for a security program. Availability and integrity are key to processing orders, a major factor in most businesses. What was surprising was the extent to which the standard addresses these two areas, given how much emphasis security postings typically place on mitigating attackers. It crystallized further during this process how underrepresented the principles of availability and integrity are in most security conversations, given their weight. I hear a lot of “What will you do if this box gets compromised?” and very little “What is your plan if your RAID array gets corrupted?” at the speaking engagements I go to. Without attention to these core concepts, a program can get very lopsided.

Hopefully this will help lend perspective to anyone a hacker hasn't yet breached: there is still a need for a sound security program. Furthermore, this will hopefully guide people towards revisiting their business continuity programs to see how much their systems affect the cash coming in to their businesses, and how important it is to develop a security program with processes in place to ensure access to those systems and the foresight to recover them.

Even without bad guys, security would play a vital role for Information Technology, though it might change its name to “Continuity Planning”.